Abstract

The paper gives a polynomial description of the Rijndael Advanced Encryption 
Standard recently adopted by the National Institute of Standards and Technology. 
Special attention is given to the structure of the S-Box. 

Index Terms: Advanced encryption standard, Rijndael algorithm, symmetric-key 
encryption. 

1 Introduction 

On November 26, 2001 the National Institute of Standards and Technology (NIST) announced
that the Rijndael encryption algorithm becomes the Advanced Encryption Standard.
The Rijndael system will be a Federal Information Processing Standard (FIPS) to be used
by U.S. Government organizations (and others) to protect sensitive information [?]. Detailed
information can be found at the website:

http://csrc.nist.gov/encryption/aes/rijndael/

The description [?] supplied by Joan Daemen and Vincent Rijmen, the inventors of the
Rijndael encryption algorithm, is very detailed, and a reader new to the subject will probably
need some time to understand all steps in the algorithm.

In this paper we show how the whole algorithm can be quite elegantly described through 
a sequence of algebraic manipulations in a finite ring. We hope that this description will be 
helpful in the proliferation of this new important standard. 

*Supported in part by NSF grant DMS-00-72383. 



We are aware of some attempts (e.g. [?], [?]) where authors tried to explore an algebraic
description of the so-called 'S-Box', the main non-linear part of the Rijndael system. We
explain in this paper why the 'S-Box' can be described through a sparse polynomial.
There is, however, no attempt made to explore this description further in order to find any
weakness of the system. We also derive the interpolation polynomial of the inverse S-Box
and we describe the cycle decomposition of the S-Box. The most detailed description of
Rijndael can be found in the new book [?]. This book gives many details on the design
philosophy and implementation aspects, something we do not address in this paper. During
the preparation of this paper we found the description of Rijndael as given in [?] useful.
We want to thank U. Maurer for pointing us to an algebraic description of Rijndael recently
provided by H. W. Lenstra [?].

2 The Rijndael Algorithm 

Let Z_2 = {0, 1} be the binary field and consider the irreducible polynomial

\mu(z) := z^8 + z^4 + z^3 + z + 1 \in \mathbb{Z}_2[z].

Let F := Z_2[z]/<μ(z)> = GF(256) be the Galois field of 2^8 elements and consider the
ideal:

I := \langle x^4 + 1,\; y^4 + 1,\; \mu(z) \rangle \subset \mathbb{Z}_2[x, y, z].

We will describe the Rijndael algorithm through a sequence of polynomial manipulations
inside the finite ring

R := \mathbb{Z}_2[x, y, z]/I = \mathbb{F}[x, y]/\langle x^4 + 1,\; y^4 + 1 \rangle. (2.1)

The ring R has simultaneously the structure of a finite Z_2-algebra and the structure of a
finite F-algebra, as the above description makes clear. The monomials

\{\, x^i y^j z^k \mid 0 \le i, j \le 3,\; 0 \le k \le 7 \,\}

form a Z_2-basis of the ring (algebra) R. In particular dim_{Z_2} R = 128, i.e. |R| = 2^128.
Computations in the ring R can be done very efficiently: addition in R is done componentwise
and multiplication in R is done through multiplication in Z_2[x, y, z] followed by reduction
modulo the ideal I.

Remark 2.1 One readily verifies that x^4 + 1, y^4 + 1, μ(z) forms a reduced Gröbner basis of
the ideal I, which is also a zero-dimensional ideal. As a consequence the reduction modulo I
is very easy. More details about finite dimensional algebras and zero dimensional ideals can
be found in [?, Chapter 2].

Whenever r ∈ R is an element we will define elements r_{i,j} ∈ F and r_j ∈ F[x]/<x^4 + 1>
through:

r = \sum_{i=0}^{3} \sum_{j=0}^{3} r_{i,j}\, x^i y^j = \sum_{j=0}^{3} \Big( \sum_{i=0}^{3} r_{i,j}\, x^i \Big) y^j = \sum_{j=0}^{3} r_j\, y^j. (2.2)
On an abstract level a secret key crypto-system consists of a message space M, a cipher
space C and a key space K together with an encryption map

\varepsilon : M \times K \to C

and a decryption map

\delta : C \times K \to M

such that δ(ε(m, k), k) = m for all m ∈ M and k ∈ K. It should be computationally not
feasible to compute the secret key k ∈ K from a sequence of plain-text/cipher-text pairs
(m^{(t)}, c^{(t)} = ε(m^{(t)}, k)), t = 1, 2, ....

In the Rijndael AES system one has the possibility to work with secret keys consisting
of 128 bits, 192 bits or 256 bits respectively. We will describe the system when |K| = 2^128
and will indicate in Section 3.1 how to adapt the algebraic description to the other situations.
For the Rijndael algorithm we define 

K = M = C = R. 
Crucial for the description will be the following polynomial:

\varphi(u) := (z^2 + 1)\, u^{254} + (z^3 + 1)\, u^{253} + (z^7 + z^6 + z^5 + z^4 + z^3 + 1)\, u^{251}
+ (z^5 + z^2 + 1)\, u^{247} + (z^7 + z^6 + z^5 + z^4 + z^2)\, u^{239} + u^{223} + (z^7 + z^5 + z^4 + z^2 + 1)\, u^{191}
+ (z^7 + z^3 + z^2 + z + 1)\, u^{127} + (z^6 + z^5 + z + 1) \in \mathbb{F}[u]. (2.3)

Assume Alice and Bob share a common secret key k ∈ R and Alice wants to encrypt the
message m ∈ R. In a first step both Alice and Bob do a key expansion which will result in
10 elements k^{(t)} ∈ R, t = 0, ..., 9.

Key expansion: Using the notation introduced in Equation (2.2), both Alice and Bob
compute recursively 10 elements k^{(t)} ∈ R, t = 0, ..., 9 in the following way:

k^{(0)} := k,

k_0^{(t+1)} := \Big( \sum_{i=0}^{3} \varphi\big(k_{i,3}^{(t)}\big)\, x^i \Big) x^3 + z^t + k_0^{(t)} \quad \text{for } t = 0, \dots, 9,

k_i^{(t+1)} := k_{i-1}^{(t+1)} + k_i^{(t)} \quad \text{for } t = 0, \dots, 9,\; i = 1, 2, 3.

In order to describe the actual encryption algorithm we define the ring element:

\gamma := (z + 1)\, x^3 + x^2 + x + z \in R.
Rijndael encryption algorithm: Using the round keys k^{(t)} ∈ R and starting with the
message m ∈ R Alice computes recursively:

m^{(0)} := m + k^{(0)},

m^{(t+1)} := \gamma \sum_{i=0}^{3} \sum_{j=0}^{3} \varphi\big(m_{i,j}^{(t)}\big)\, x^i y^{3i+j} + k^{(t+1)} \quad \text{for } t = 0, \dots, 8,

c := m^{(10)} := \sum_{i=0}^{3} \sum_{j=0}^{3} \varphi\big(m_{i,j}^{(9)}\big)\, x^i y^{3i+j} + k^{(10)}.

The cipher to be transmitted by Alice is c. Note that in the 10th round no multiplication
by γ happens. This will make sure that the decryption process follows formally the same
algebraic process, as we will show next.

Rijndael decryption algorithm: The polynomial φ introduced in (2.3) is a permutation
polynomial describing a permutation of the elements of F. See Sections 3, 4 for more details.

There is a unique permutation polynomial ψ(u) ∈ F[u] of degree at most 255 such that
φ∘ψ = ψ∘φ = id_F and we will derive this polynomial in Section 4. The element γ ∈ R is
invertible with

\gamma^{-1} := (z^3 + z + 1)\, x^3 + (z^3 + z^2 + 1)\, x^2 + (z^3 + 1)\, x + (z^3 + z^2 + z) \in R.

Using the map ψ, the element γ^{-1} and the round keys k^{(t)} Bob can decipher the message m
of Alice through:

c^{(0)} := c + k^{(10)},

c^{(t+1)} := \gamma^{-1} \sum_{i=0}^{3} \sum_{j=0}^{3} \psi\big(c_{i,j}^{(t)}\big)\, x^i y^{i+j} + \gamma^{-1} k^{(9-t)} \quad \text{for } t = 0, \dots, 8,

c^{(10)} := \sum_{i=0}^{3} \sum_{j=0}^{3} \psi\big(c_{i,j}^{(9)}\big)\, x^i y^{i+j} + k^{(0)}.

One readily verifies that m = c^{(10)}. Note that formally both the encryption schedule and
the decryption schedule follow the same sequence of transformations: φ is simply replaced
by ψ, multiplication by γ is substituted with multiplication by γ^{-1}, and the key schedule is
changed by replacing k^{(t)}, t = 0, ..., 10 with k^{(10)}, γ^{-1} k^{(9)}, ..., γ^{-1} k^{(1)}, k^{(0)}.
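The encryption and decryption schedules above, written out as an added worked example in Python that is not part of the paper. Ring elements are stored as 4 × 4 arrays of bytes r[i][j] = r_{i,j}; the function names (to_ring, sub_and_shift, ring_mul_x, key_expansion, encrypt, decrypt) and the FIPS-197 column-major byte order used to load a 128-bit block are this example's own choices, while the constants are the paper's φ(u) from (2.3), γ and γ^{-1}. The look-up table for φ is produced by evaluating the sparse polynomial (2.3) directly, and the result is checked against the FIPS-197 test vector.

```python
# Added example (not code from the paper): AES-128 as the ring computation of Section 2.
MU = 0x11B  # mu(z) = z^8 + z^4 + z^3 + z + 1 as a bit vector

def gf_mul(a, b):
    """Multiplication in F = Z_2[z]/<mu(z)>; a byte's bit i is the coefficient of z^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MU
        b >>= 1
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in F."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

# phi(u) of equation (2.3): (coefficient in F, exponent of u)
PHI = [(0x05, 254), (0x09, 253), (0xF9, 251), (0x25, 247), (0xF4, 239),
       (0x01, 223), (0xB5, 191), (0x8F, 127), (0x63, 0)]

def phi(u):
    """Evaluate the sparse permutation polynomial (2.3) at u in F."""
    acc = 0
    for c, e in PHI:
        acc ^= gf_mul(c, gf_pow(u, e))
    return acc

S = [phi(u) for u in range(256)]      # look-up table for phi (Remark 2.2)
S_INV = [0] * 256                      # look-up table for psi = phi^{-1}
for u, v in enumerate(S):
    S_INV[v] = u

# gamma = (z+1) x^3 + x^2 + x + z and gamma^{-1}, as coefficient lists indexed by the power of x
GAMMA = [0x02, 0x01, 0x01, 0x03]
GAMMA_INV = [0x0E, 0x09, 0x0D, 0x0B]

def to_ring(block):
    """16 bytes -> r = sum r_{i,j} x^i y^j; FIPS-197 column-major order: byte 4j+i is r_{i,j}."""
    return [[block[4 * j + i] for j in range(4)] for i in range(4)]

def from_ring(r):
    return bytes(r[i][j] for j in range(4) for i in range(4))

def ring_add(a, b):
    """Addition in R is the componentwise XOR of the 128 coefficient bits."""
    return [[a[i][j] ^ b[i][j] for j in range(4)] for i in range(4)]

def ring_mul_x(g, r):
    """Multiply r in R by g in F[x]/<x^4+1>: acts on each column r_j = sum_i r_{i,j} x^i."""
    out = [[0] * 4 for _ in range(4)]
    for j in range(4):
        for i in range(4):
            for k in range(4):
                out[(i + k) % 4][j] ^= gf_mul(g[i], r[k][j])   # x^4 = 1: exponents mod 4
    return out

def sub_and_shift(r, table, s):
    """sum table(r_{i,j}) x^i y^{s*i+j}: s = 3 is S-Box plus ShiftRow, s = 1 their inverses."""
    out = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            out[i][(s * i + j) % 4] = table[r[i][j]]
    return out

def key_expansion(key):
    """Round keys k^(0), ..., k^(10) following the recursion of Section 2."""
    ks = [to_ring(key)]
    for t in range(10):
        prev, new = ks[-1], [[0] * 4 for _ in range(4)]
        for i in range(4):       # k_0^(t+1) = (sum_i phi(k_{i,3}^(t)) x^i) x^3 + z^t + k_0^(t)
            new[i][0] = S[prev[(i + 1) % 4][3]] ^ prev[i][0]
        new[0][0] ^= gf_pow(0x02, t)
        for j in range(1, 4):    # k_i^(t+1) = k_{i-1}^(t+1) + k_i^(t)
            for i in range(4):
                new[i][j] = new[i][j - 1] ^ prev[i][j]
        ks.append(new)
    return ks

def encrypt(block, key):
    ks = key_expansion(key)
    m = ring_add(to_ring(block), ks[0])
    for t in range(9):
        m = ring_add(ring_mul_x(GAMMA, sub_and_shift(m, S, 3)), ks[t + 1])
    return from_ring(ring_add(sub_and_shift(m, S, 3), ks[10]))   # no gamma in round 10

def decrypt(block, key):
    ks = key_expansion(key)
    c = ring_add(to_ring(block), ks[10])
    for t in range(9):
        c = ring_add(ring_mul_x(GAMMA_INV, sub_and_shift(c, S_INV, 1)),
                     ring_mul_x(GAMMA_INV, ks[9 - t]))
    return from_ring(ring_add(sub_and_shift(c, S_INV, 1), ks[0]))

if __name__ == "__main__":
    key, pt = bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt(pt, key)                  # FIPS-197 Appendix C.1 vector
    print(ct.hex(), decrypt(ct, key) == pt)   # 69c4e0d86a7b0430d8cdb78070b4c55a True
```

The decryption loop is a literal transcription of the c^{(t+1)} recursion: the inverse ShiftRow is the exponent substitution with s = 1, the inverse S-box is the inverted table, and the round key k^{(9-t)} is multiplied by γ^{-1} before it is added, exactly as the schedule above states.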

Remark 2.2 Both encryption and decryption can be done very efficiently. In practice the
polynomials φ and ψ are not evaluated and a look-up table describing the permutations
φ, ψ : F → F is used instead. Substituting exponents x^i y^j ↦ x^i y^{3i+j} does not require
any arithmetic and adding a round key k^{(t+1)} is efficiently done through Boolean XOR
operations. Arithmetic computations are required when multiplying by γ respectively by
γ^{-1}. Since in general multiplication by γ is slightly easier than multiplication by γ^{-1}, the
decryption algorithm takes in general slightly longer than the encryption algorithm.
Remark 2.3 (Compare with [?, page 55] and [?]). γ was chosen such that multiplication
by γ can be done with a minimal branch number and at the same time a good diffusion of
F[x]/<x^4 + 1> is guaranteed. We are not convinced that the choice of γ was optimal for
the latter as it has a very small order in R. A direct computation shows that γ has order 4.
With this we also have an easy expression for γ^{-1}:

\gamma^{-1} = \gamma^3 = \gamma^2 \gamma = (z^2 x^2 + z^2 + 1)\, \gamma. (2.4)

Instead of multiplying by γ^{-1} it is therefore possible to multiply three times by γ, or
alternatively one can pre-process the multiplication by γ with the multiplication by (z^2 x^2 + z^2 + 1).
This is more efficient than multiplying the full expression by γ^{-1}.



Remark 2.4 We made a computer search for interesting factorizations of γ^{-1}. It seems
that the factorization (2.4) is probably the easiest for computation purposes. The following
is a related interesting factorization which we found:

\gamma^{-1} = (z x^3 + z + 1)\,\big(x^3 + (z^2 + 1)\, x^2 + x + z^2\big). (2.5)
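As an added example (not from the paper), the following Python implements multiplication in R = F[x, y]/<x^4 + 1, y^4 + 1> as defined in (2.1) and checks the statements of Remarks 2.3 and 2.4: γ has order 4, γ^{-1} is the element given above, and both (2.4) and (2.5) hold. Names such as ring_elem, ring_mul, ring_order and check_remarks are this example's own.

```python
# Added example (not code from the paper): arithmetic in R = F[x, y]/<x^4 + 1, y^4 + 1> and the
# checks behind Remarks 2.3 and 2.4. Element and function names are this example's own.
MU = 0x11B  # mu(z) = z^8 + z^4 + z^3 + z + 1

def gf_mul(a, b):
    """Multiplication in F = Z_2[z]/<mu(z)>; a byte's bit i is the coefficient of z^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MU
        b >>= 1
    return r

def ring_elem(terms):
    """Element of R from {(i, j): c}: c is the coefficient of x^i y^j, stored as r[i][j]."""
    r = [[0] * 4 for _ in range(4)]
    for (i, j), c in terms.items():
        r[i][j] ^= c
    return r

def ring_mul(a, b):
    """Multiplication in R. Reduction modulo I = <x^4 + 1, y^4 + 1, mu(z)> is just
    'exponents of x and y modulo 4' (Remark 2.1); gf_mul reduces modulo mu(z)."""
    out = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            if a[i][j]:
                for k in range(4):
                    for l in range(4):
                        out[(i + k) % 4][(j + l) % 4] ^= gf_mul(a[i][j], b[k][l])
    return out

ONE = ring_elem({(0, 0): 0x01})

def ring_order(r, limit=256):
    """Smallest n >= 1 with r^n = 1, or None if there is none up to `limit`."""
    p = r
    for n in range(1, limit + 1):
        if p == ONE:
            return n
        p = ring_mul(p, r)
    return None

# gamma = (z+1) x^3 + x^2 + x + z and the inverse gamma^{-1} stated in Section 2
GAMMA = ring_elem({(3, 0): 0x03, (2, 0): 0x01, (1, 0): 0x01, (0, 0): 0x02})
GAMMA_INV = ring_elem({(3, 0): 0x0B, (2, 0): 0x0D, (1, 0): 0x09, (0, 0): 0x0E})

def check_remarks():
    """Return (order of gamma, gamma * gamma^{-1} == 1, (2.4) holds, (2.5) holds)."""
    gamma_sq = ring_mul(GAMMA, GAMMA)
    eq24 = (gamma_sq == ring_elem({(2, 0): 0x04, (0, 0): 0x05})       # z^2 x^2 + z^2 + 1
            and ring_mul(gamma_sq, GAMMA) == GAMMA_INV)                  # gamma^3 = gamma^{-1}
    f1 = ring_elem({(3, 0): 0x02, (0, 0): 0x03})                         # z x^3 + z + 1
    f2 = ring_elem({(3, 0): 0x01, (2, 0): 0x05, (1, 0): 0x01, (0, 0): 0x04})  # x^3 + (z^2+1)x^2 + x + z^2
    eq25 = ring_mul(f1, f2) == GAMMA_INV
    return ring_order(GAMMA), ring_mul(GAMMA, GAMMA_INV) == ONE, eq24, eq25

if __name__ == "__main__":
    print(check_remarks())   # (4, True, True, True)
```

Because γ and its factors only involve x, the y-exponent loop in ring_mul never does anything for them; it is kept so that the same routine multiplies arbitrary elements of R, which is what the ShiftRow substitution r(x, y) ↦ r(xy^3, y) in Section 3 acts on.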



3 Relation to the Standard Description 

In the original description of the Rijndael algorithm the ring R was not used. Instead sets
of elements having 128 bits were described by a 4 × 4 array, each entry containing one byte, i.e. 8
bits. In order to relate the descriptions, assign to each element r = Σ_{i=0}^3 Σ_{j=0}^3 r_{i,j} x^i y^j the
4 × 4 array

\begin{pmatrix}
r_{0,0} & r_{0,1} & r_{0,2} & r_{0,3} \\
r_{1,0} & r_{1,1} & r_{1,2} & r_{1,3} \\
r_{2,0} & r_{2,1} & r_{2,2} & r_{2,3} \\
r_{3,0} & r_{3,1} & r_{3,2} & r_{3,3}
\end{pmatrix}

where each element r_{i,j} ∈ F is viewed as one byte. Using a specific schedule the following
operations are applied:



S-Box Transformation: In this operation each element f ∈ F is changed using a permutation
φ of the symmetric group of 256 elements. The permutation φ decomposes into
three permutations:

\varphi_1 : \mathbb{F} \to \mathbb{F}, \quad f \mapsto \begin{cases} f^{-1} & \text{if } f \ne 0, \\ 0 & \text{if } f = 0. \end{cases} (3.1)

L : \mathbb{F} \to \mathbb{F}, \quad f \mapsto (z^4 + z^3 + z^2 + z + 1)\, f \bmod z^8 + 1. (3.2)

\varphi_3 : \mathbb{F} \to \mathbb{F}, \quad f \mapsto z^6 + z^5 + z + 1 + f. (3.3)

The permutation φ is defined as φ := φ_3 ∘ L ∘ φ_1. It is possible to describe the permutation
φ using a permutation polynomial. For this note that any permutation of F can also be
described through a unique interpolation polynomial (an element of F[u]) having degree at
most 255. We will denote this unique polynomial describing the permutation φ with φ(u).
The context will always make it clear if we view φ as a permutation or as a polynomial
φ(u) ∈ F[u].

This unique permutation polynomial can be computed in the following way. If α ≠ 0
then

T_\alpha(u) := \sum_{i=0}^{254} (\alpha^{-1} u)^{i+1}

is the unique Lagrange interpolant having the property that

T_\alpha(\beta) = \begin{cases} 1 & \text{if } \alpha = \beta, \\ 0 & \text{otherwise.} \end{cases}

If α = 0 then T_α(u) = u^{255} + 1 is the unique Lagrange interpolant. The unique polynomial
φ(u) ∈ F[u] is then readily computed using a symbolic algebra program as φ(u) =
Σ_{α∈F} φ(α) T_α(u). This computation was already done by Daemen and Rijmen in their original
proposal and the polynomial φ can be found in [?, Subsection 8.5].
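The Lagrange interpolation just described, carried out in Python as an added example that is not the paper's own computation (the paper used a symbolic algebra program). sbox_definition builds φ = φ_3 ∘ L ∘ φ_1 from (3.1)-(3.3), interpolate returns the coefficients of Σ_α φ(α) T_α(u) with T_α as above, and evaluate and nonzero_terms are small helpers; all four names are this example's. Run on the S-box table the interpolation recovers exactly the nine terms of (2.3); run on the inverse table it shows that the inverse polynomial is dense.

```python
# Added example (not code from the paper): Lagrange interpolation of the S-Box
# phi = phi_3 o L o phi_1 and of its inverse over F = Z_2[z]/<mu(z)>.
MU = 0x11B  # mu(z) = z^8 + z^4 + z^3 + z + 1

def gf_mul(a, b):
    """Multiplication in F; a byte's bit i is the coefficient of z^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MU
        b >>= 1
    return r

def gf_inv(a):
    """phi_1 of (3.1): a -> a^{-1} = a^254 for a != 0, and 0 -> 0 (a^254 = a^2 a^4 ... a^128)."""
    r, p = 1, a
    for _ in range(7):
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r

def rotl(f, n):
    """Multiplying by z^n modulo z^8 + 1 cyclically rotates the 8 coefficient bits by n."""
    return ((f << n) | (f >> (8 - n))) & 0xFF

def sbox_definition(f):
    """phi(f) = phi_3(L(phi_1(f))): (3.2) as rotations, then phi_3 adds z^6 + z^5 + z + 1 = 0x63."""
    g = gf_inv(f)
    return g ^ rotl(g, 1) ^ rotl(g, 2) ^ rotl(g, 3) ^ rotl(g, 4) ^ 0x63

S = [sbox_definition(f) for f in range(256)]   # the permutation phi as a table
S_INV = [0] * 256                               # the permutation psi = phi^{-1}
for f, v in enumerate(S):
    S_INV[v] = f

def interpolate(table):
    """Coefficients c[0..255] of the unique polynomial of degree <= 255 agreeing with
    `table` on all of F: sum_a table[a] T_a(u) with T_a(u) = sum_{i=0}^{254} (a^{-1} u)^{i+1}
    for a != 0 and T_0(u) = u^255 + 1."""
    c = [0] * 256
    c[0] ^= table[0]        # T_0 contributes table[0] to the constant term ...
    c[255] ^= table[0]      # ... and to u^255
    for a in range(1, 256):
        ainv, p = gf_inv(a), 1
        for i in range(1, 256):
            p = gf_mul(p, ainv)                 # p = a^{-i}, the coefficient of u^i in T_a
            c[i] ^= gf_mul(table[a], p)
    return c

def nonzero_terms(coeffs):
    """{exponent: coefficient} for the nonzero terms, highest exponent first."""
    return {e: coeffs[e] for e in range(255, -1, -1) if coeffs[e]}

def evaluate(coeffs, u):
    """sum_i coeffs[i] u^i evaluated in F."""
    acc, p = 0, 1
    for c in coeffs:
        acc ^= gf_mul(c, p)
        p = gf_mul(p, u)
    return acc

if __name__ == "__main__":
    phi = interpolate(S)
    print({e: hex(c) for e, c in nonzero_terms(phi).items()})   # the 9 terms of (2.3)
    psi = interpolate(S_INV)
    print(len(nonzero_terms(psi)), "nonzero coefficients in the inverse polynomial")
```

The coefficient of u^255 vanishes for both tables, as it must for any permutation: it equals the sum of all values of the permutation, which is the sum of all elements of F, i.e. 0.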

The ShiftRow Transformation: In this operation the bytes of the i-th row are cyclically
shifted by i positions. Algebraically this operation has a simple interpretation. For this
consider an element r = r(x, y) ∈ R as described in (2.2). The ShiftRow then corresponds
simply to the transformation:

r = r(x, y) \longmapsto r(x y^3, y).

In the encryption algorithm this translates into replacing the monomial x^i y^j with the monomial
x^i y^{3i+j}. The inverse of the ShiftRow transformation is r = r(x, y) ↦ r(xy, y), which
translates into the replacement of x^i y^j with the monomial x^i y^{i+j}.

The MixColumn Transformation: In this transformation each column r_j = Σ_{i=0}^3 r_{i,j} x^i
is multiplied by the element γ.

Add Round Key: In this step the i-th round key is added. 

The schedule of operation is as follows: In the 'zero round' the round key is simply 
added. In rounds 1-9 do the operations 'S-Box', 'ShiftRow', 'MixColumn' and 'Add Round 
Key'. In the 10th round do only 'S-Box', 'ShiftRow' and 'Add Round Key'. We have given 
the algebraic description for this schedule. 

3.1 AES-192 and AES-256 

Until now we described Rijndael when the key size and the message size have 128 bits. This
system is referred to as AES-128. In the original description [?] one had the possibility to
vary both the size of the message blocks and the size of the secret keys.

In the adopted standard [?] the size of the message blocks is always taken to be 128
bits. In AES-192 and in AES-256 the secret key size consists of 192 respectively 256 bits.
In order to run these presumably more secure algorithms it will be necessary to change the
key expansion schedule of the last section. In AES-192 13 elements k^{(t)} ∈ R, t = 0, ..., 12
are computed from the original 192 bits and the Rijndael algorithm runs over 12 rounds. In
AES-256 15 elements k^{(t)} ∈ R, t = 0, ..., 14 are computed from the original 192 bits and
the Rijndael algorithm runs over 14 rounds. Other than this there seems to be no difference
and details can be found in [?], [?].



4 The Structure of the S-Box 

Except for the transformation of the S-Box all transformations are Z_2-linear. An understanding
of the S-Box is therefore most crucial. Surprisingly the permutation polynomial
φ(u) is very sparse and we explain in this section why this is the case.

The permutation φ is the composition of the maps φ_1, L and φ_3. We will describe the
permutation polynomial for each of them.

The permutation polynomial for the map φ_1 is simply given by φ_1(u) = u^{254}.

The permutation L is a Z_2-linear map. Because of this there is a unique linearized
polynomial (see [?, Chapter 3]) 𝓛(u) = Σ_{i=0}^7 λ_i u^{2^i} such that

\mathcal{L}(f) = L(f)

for all f ∈ F. If α_1, ..., α_8 is any basis of F over the prime field Z_2 then it is possible to
compute the coefficients λ_0, λ_1, ..., λ_7 through the linear equations:

\sum_{i=0}^{7} \lambda_i\, \alpha_j^{2^i} = L(\alpha_j), \quad j = 1, \dots, 8.



This system of linear equations can be solved explicitly. For this let β_1, ..., β_8 be the
dual basis (see e.g. [?, Chapter 3]) of α_1, ..., α_8 characterized through the requirement:

\mathrm{Tr}_{\mathbb{F}/\mathbb{Z}_2}(\alpha_i \beta_j) = \begin{cases} 1 & \text{if } i = j, \\ 0 & \text{if } i \ne j. \end{cases}

Introduce the matrices:

A := \begin{pmatrix}
\alpha_1 & \alpha_1^2 & \alpha_1^4 & \cdots & \alpha_1^{2^7} \\
\alpha_2 & \alpha_2^2 & \alpha_2^4 & \cdots & \alpha_2^{2^7} \\
\vdots & \vdots & \vdots & & \vdots \\
\alpha_8 & \alpha_8^2 & \alpha_8^4 & \cdots & \alpha_8^{2^7}
\end{pmatrix}, \qquad
B := \begin{pmatrix}
\beta_1 & \beta_2 & \cdots & \beta_8 \\
\beta_1^2 & \beta_2^2 & \cdots & \beta_8^2 \\
\beta_1^4 & \beta_2^4 & \cdots & \beta_8^4 \\
\vdots & \vdots & & \vdots \\
\beta_1^{2^7} & \beta_2^{2^7} & \cdots & \beta_8^{2^7}
\end{pmatrix}.

Assuming that β_1, ..., β_8 is the dual basis of α_1, ..., α_8 simply means that AB = I_8.
Let S be the change of basis transformation such that

\begin{pmatrix} \alpha_1 \\ \alpha_2 \\ \vdots \\ \alpha_8 \end{pmatrix} = S \begin{pmatrix} 1 \\ z \\ \vdots \\ z^7 \end{pmatrix}

and consider the matrix

L' := \begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}

which describes the linear map L introduced in (3.2) with respect to the polynomial basis
1, z, z^2, ..., z^7. Then one has:

Lemma 4.1 The coefficients λ_0, λ_1, ..., λ_7 of the permutation polynomial 𝓛(u) are given
as:

\begin{pmatrix} \lambda_0 \\ \lambda_1 \\ \vdots \\ \lambda_7 \end{pmatrix} = B\, S\, L'^{\,t}\, S^{-1} \begin{pmatrix} \alpha_1 \\ \alpha_2 \\ \vdots \\ \alpha_8 \end{pmatrix}. (4.1)

Proof: S L'^t S^{-1} describes the change of basis of the linear map L with regard to the basis
α_1, ..., α_8. □



In order to explicitly compute the coefficients λ_0, λ_1, ..., λ_7 we can work with the polynomial
basis 1, z, z^2, ..., z^7 (in which case S = I_8). Alternatively we can work with a normal
basis. We explain the computation for a normal basis. Let

\alpha := z^5 + 1 \in \mathbb{F}.

One verifies e.g. with the computer program Maple that α is a primitive element of F and that
{α_i := α^{2^{i-1}} | i = 1, ..., 8} forms a normal basis. Such bases are called primitive normal
bases. α is special in the sense that it is the first element of F with respect to lexicographic
order which is both primitive and the generator of a normal basis.

Remark 4.2 The existence of primitive normal bases has been established by Lenstra and
Schoof [?] for every finite extension GF(q^m) of a finite field GF(q). Probably the nicest
possible basis a finite field can have is a primitive normal basis which is also self-dual. We
verified by computer search that GF(256) does not have a self-dual, primitive normal basis.
The dual basis of {α_1, ..., α_8} is readily computed using Maple as {β_j := β^{2^{j-1}} | j =
1, ..., 8}, where β = z^5 + z^4 + z^2 + 1. It is a well known fact that the dual basis of a normal
basis is normal as well. The change of basis transformation is computed in this case as

S = \begin{pmatrix}
1 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
1 & 0 & 1 & 1 & 0 & 1 & 1 & 0 \\
0 & 1 & 1 & 0 & 1 & 0 & 0 & 1 \\
1 & 0 & 1 & 0 & 1 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 1 \\
1 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
1 & 1 & 0 & 1 & 1 & 0 & 0 & 1 \\
0 & 0 & 1 & 0 & 0 & 0 & 1 & 1
\end{pmatrix}

(the i-th row lists the coefficients of α_i = α^{2^{i-1}} with respect to 1, z, ..., z^7). With this one readily computes:

\begin{pmatrix} \lambda_0 \\ \lambda_1 \\ \vdots \\ \lambda_7 \end{pmatrix} = B\, S\, L'^{\,t}\, S^{-1} \begin{pmatrix} \alpha \\ \alpha^2 \\ \vdots \\ \alpha^{2^7} \end{pmatrix} = \begin{pmatrix}
z^2 + 1 \\
z^3 + 1 \\
z^7 + z^6 + z^5 + z^4 + z^3 + 1 \\
z^5 + z^2 + 1 \\
z^7 + z^6 + z^5 + z^4 + z^2 \\
1 \\
z^7 + z^5 + z^4 + z^2 + 1 \\
z^7 + z^3 + z^2 + z + 1
\end{pmatrix}. (4.2)
The elements λ_i already agree with the non-constant coefficients of φ introduced in (2.3) up
to order. In order to get the exact form we need a polynomial description of the permutation
φ_3 introduced in (3.3). Clearly the linear polynomial φ_3(u) := u + 1 + z + z^5 + z^6 ∈ F[u]
interpolates the affine map φ_3.

Concatenating the three polynomial maps we get:

\varphi(u) = \varphi_3 \circ \mathcal{L} \circ \varphi_1(u) = 1 + z + z^5 + z^6 + \mathcal{L}(u^{254}) \bmod u^{256} + u.

Note that 𝓛 has at most 8 nonzero coefficients. Reducing 𝓛(u^{254}) by the relation u^{256} = u
will not change this, and this explains the sparsity of the polynomial φ(u).

The fact that the permutation polynomial φ(u) is sparse does not imply that the inverse
polynomial ψ(u) is sparse. For this note that

\psi(u) = \varphi_1^{-1} \circ \mathcal{L}^{-1} \circ \varphi_3^{-1}(u) \bmod u^{256} + u.

As before the coefficients of the polynomial 𝓛^{-1} are computed from:

B\, S\, (L'^{\,t})^{-1}\, S^{-1} \begin{pmatrix} \alpha \\ \alpha^2 \\ \vdots \\ \alpha^{2^7} \end{pmatrix}. (4.3)
Using Maple we find:

\mathcal{L}^{-1}(u) = (z^6 + z^5 + z^3 + z^2 + z)\, u^{128} + (z^7 + z^6 + z^4 + z^3 + z + 1)\, u^{64}
+ (z^6 + z^4 + z^3 + 1)\, u^{32} + (z^6 + z^5 + z^4 + z^3)\, u^{16}
+ (z^6 + z^4 + z^3 + z)\, u^8 + (z^6 + z^5 + z^4 + z^3 + z^2 + z + 1)\, u^4
+ (z^7 + z^6 + z^5 + z^4 + z^3 + z^2 + z)\, u^2 + (z^2 + 1)\, u \in \mathbb{F}[u]. (4.4)

Combining the result with the map φ_3^{-1}(u) one gets:

\rho(u) := \mathcal{L}^{-1} \circ \varphi_3^{-1}(u) = \mathcal{L}^{-1}(u + \varphi_3(0)) = \mathcal{L}^{-1}(u) + \mathcal{L}^{-1}(\varphi_3(0)) = \mathcal{L}^{-1}(u) + z^2 + 1. (4.5)

A polynomial of the form ρ(u) is sometimes called an affine polynomial [?], reflecting the
fact that the map 𝓛^{-1} ∘ φ_3^{-1} is affine linear over Z_2.

Concatenating ρ(u) with the polynomial φ_1^{-1}(u) = φ_1(u) = u^{254} results in a non-sparse
polynomial ψ(u) = ρ(u)^{254} mod u^{256} + u. For completeness we provide the result of the
Maple computation. The coefficients are expressed in terms of the primitive element α = z^5 + 1.



ip(u) = a 


163 u 254 + a 


76^253 + a 195 u 252 + ^186^251 + Q 


234^250 + a 194 u 249 + 


a 24 V 48 + 


a 255 U 247 




+ a 196 


u 246 + a 100 


U 245 + a 216 


U 244 + a 212 


u 243 + a 47 


« 242 +a 17 


« 241 +a 85 


U 240 + a 103 


u 239 4- a 201 


U 238 


■ a 18 V 37 


+ a 235 u 236 


+ a 21 V 35 


+ a 17 % 234 


+ a 74 u 233 


+ a 1 V 32 


+ aV 31 - 


f a 185 w 230 - 


f a 8 V 29 4 


- a 26 w 228 


a 231 u 227 


+ a 137 u 226 


fa 110 / 5 - 


f a 23 V 24 - 


fa 2 % 223 4 


-a 126 « 222 - 


fA 221 - 


f a n V 20 - 


ha 4 V 19 4- 


a 141 u 218 


a 56 u 217 - 


f a 2 V 16 + 


a 15 V 15 + 


a 20 V 14 + 


a 175 u 213 - 


-a 253 ^ 212 


+ a 147 u 211 


+ a 5 u 210 4 


- a 4 V 09 + 


a 194 u 208 


a 242 u 207 


+ a 202 u 206 


4-a 2 V 05 4 


-a 15 U 204 4- 


a 164 u 203 4 


■a n u™ + 


a 23 V 01 H 


-a 5 V 00 + 


a 121 u 199 4- 


a 163 u 198 


a 6 V 97 - 


f a 11 V 96 - 


1- a 23 V 95 - 


Ha 22 V 94 - 


h a 15 V 93 


+ a 227 u 192 


: + aV 91 


4-a 7 V 90 4 


- a 234 w 189 4 


-a 57 u 188 


a 13 V 87 


4-a 11 V 86 - 


f a"V 8B - 


f a 5 V 84 + 


a 22 V 83 4 


-a 228 u 182 - 


fa u V 81 


+ a 24 V 80 


+ a 8 V 79 H 


-a 55 u 178 


f a 55 u 177 


+ a 32 u 176 - 


f a 9 V 75 4 


- a 7 V 74 + 


a 8 V 73 + 


a 94 u 172 + 


a 4 V 71 + 


a 21 V 70 + 


a 157 u 169 + 


a 73 u 168 


a 209 u 167 


+ a 2 V 66 4 


-a 12 V 65 4 


a 12 V 64 + 


a 20 V 63 4 


-a 19 u 162 i 


-a 18 V 61 - 


fa 8 V 60 + 


a 177 u 159 + 


a 192 u 158 


a 211 u 157 


+ a"u 156 - 


N 195 « 155 - 


|-a M u 164 + 


a 17 V 53 - 


-a 67 u 152 -\ 


-a 13 V 51 


4-a 6 u 150 + 


a 122 u 149 + 


a 10 V 48 


a 198 u 147 


+ a 1 V 46 4 


a 13 V 45 4- 


a 10 V 44 + 


a 12 V 43 + 


a 24 V 42 4 


-a 18 V 41 - 


fa 85 U 140 + 


a 181 u 139 + 


a 169 u 138 


a 230 u 137 


+ a 2 V 36 4 


a 23 V 35 + 


a 13 V 34 4- 


a 10 V 33 + 


a 2 V 32 4- 


a 22 V 31 4 


-a 177 M 130 + 


a 16 V 29 + 


a 245 u 128 


a 13 u 127 - 


ha 14 V 26 4 


-a 9 V 25 + 


a 24 V 24 + 


a 224 u 123 4 


-a 3 V 22 + 


a 22 V 21 H 


-a 6 V 20 + 


a 125 u 119 + 


a 147 u 118 


f a 19 u 117 


+ a 7 V 16 - 


fa 5 V 15 4 


-a n V 14 4 


-a 8 V 13 4 


-a 12 V 12 - 


f aV n 4 


■ a 209 ^ 110 4 


-a 51 U 109 4- 


a 39 u 108 


■ a 4 V 07 - 


f a 10 V 06 - 


f a 15 V 05 ■ 


f a 20 V 04 


4 a 20 V 03 


+ aV 02 - 


f a 23 V 01 


4- a 4 V 00 - 


f a 188 U " 4 


- a 234 u 98 



+ a 59 u 97 + a 15 u 96 + a 131 u 95 + a 173 u 94 + a 135 u 93 + a 244 u 92 + a 216 u 91 + a 50 u 90 + a 218 u 89 + a 250 u 88 + a 108 u 87 
+ a 192 u 86 + a 45 u 85 + a 53 u 84 + a lm u 83 + a 92 u 82 + a 74 u 81 + a 15 V° 4- a 172 u 79 + a"u 78 + a 209 u 77 + a 236 u 76 



-a 212 u 75 + a 44 u 74 + a 209 u 73 - 



. a 175 u 72 + a Wl u 71 + ^41^70 + ^1^69 + ^163^68 + a 183 u 67 + ^245^66 + a 169 w 65 



4- a 58 u e4 + a 5 u e3 + a 68 u e2 + a e3 u 61 + a 202 u eo + a 138 u 59 + a 204 u 58 + a 1Q9 u 57 + a 173 u 56 + a 214 u 55 + a 61 u 54 
+ a 255 u 53 + a 185 u 52 + a 249 u 51 + a 15 V° 4- a 14 V 9 4- a 20 V 8 4- a 16 V 7 4- « 4 V 6 4- a 20 V 5 + a 156 u 44 + a 70 u 43 
+ a 2 u 42 + a 45 u 41 + a 81 u 40 + a 43 u 39 + a 121 u 38 + a 90 u 37 + a wl u 36 + a 252 u 35 + a 42 u 34 + a 17e u 33 + a 201 u 32 
+ a 22 u 31 + a 135 u 30 + a 250 u 29 + a 176 u 28 + a 76 u 27 + a 90 u 26 + a 247 u 25 + a 220 u 24 + a 123 u 23 + a 76 u 22 + au 21 
+ a 180 u 20 + a 108 u 19 + a 222 u 18 + a 54 u 17 + a 4 V 6 4- a 89 u 15 + a 240 u 14 + a 235 u 13 + a 208 u 12 + a 194 u n + a 2 u 10 
+ a 201 u 9 + a 67 u 8 + a 247 u 7 + a 56 u 6 + a 132 u 5 + a 16 u 4 + a 242 u 3 + a 223 u 2 + a 243 u + a 92 






Other than the fact that ψ(u) = ρ(u)^{254} mod u^{256} + u the author did not observe any
regularity in the coefficients of ψ(u). The complicated algebraic structure of the inverse S-Box
shows that an algebraic attack on Rijndael which tries to recursively solve the decryption
equations might be very hard indeed. Since φ(u) is much sparser it might be more
feasible to derive algebraic expressions for several rounds of the encryption schedule.

Ferguson, Schroeppel and Whiting [?] show a way to describe multiple rounds of the
Rijndael algorithm using a continued fraction expansion. The derived formulas look very
appealing. It is however not clear if there is any way to solve these formulas by algebraic
means. Although algebraic expressions for several rounds of Rijndael were derived, it is our
belief that a compact polynomial description of several rounds of Rijndael will result in an
explosion of the variables. Further research on this question will be needed.

In the last part of this section we provide the cycle decomposition for the permutation of
the S-Box. For this let α = z^5 + 1. We describe the cycles [β, φ(β), φ(φ(β)), ...] expressed
in terms of the primitive element α:



[a, a 113 , a 139 , a 115 , a 211 , a 233 , a 45 , a 150 , a 25 , a 6 , a 96 , a 133 , a 138 , a 80 , a 184 , a 130 , a 119 , a 116 , a 222 , a 164 , 
a 79 , a 114 , a 9 , a 165 , a 160 , a 98 , a 81 , a 131 , a 215 , a 181 , a 200 , a 125 , a 143 , a 41 , a 179 , a 202 , a 157 , a 70 , a 146 , 



a 92 ,0 1 a 210 ,a 232 ,a 11 \a 1 \a 192 ,a 72 ,a 18 ^a 212 ,a 2 \a w ^a 163 ,a 21 ^a 7 ^a 4 \a 17 \a 19 ^a 209 ,a 176 ,a} 



r 2 112 „37 161 242 „ 50 240 26 n 42 n 245 168 10 „ 228 „ 229 251 29 „ 76 247 „ 223 „ 243 
«,17 „49 197 225 3 104 „ 106 55 32 204 „ 203 „ 132 „ 206 „,19 226 „ 107 84 152 231 142 

a ,a ,a ,a ,a ,a ,a ,a ,a ,a ,a ,a ,a ,a ,a ,a ,a ,a ,a ,a , 
a 159 , a 140 , a 110 , a 162 , a 170 , a 248 , a 127 , a 82 , a 148 , a 180 , a 151 , a 31 , a 88 , a 227 , a 237 , a 85 , a 43 , a 95 , a 218 , a 71 , a 177 , 
a 121 , a 65 , a 188 , a 186 , a 77 , a 23 , a 187 , a 238 , a 167 , a 52 , a 145 , a 136 , a 149 , a 147 , a 123 , a 224 , a 20 , a 134 , a 195 , a 2 ] 



[a 4 , a 16 , a 69 , a 7 , a 62 , a 34 , a 183 , a 172 , a 208 , a 129 , a 220 , a 91 , a 230 , a 153 , a 87 , a 102 , a 234 , a 93 , a 51 , a 73 , 
a 155 , a 196 , a 253 , a 124 , a 101 , a 66 , a 235 , a 252 , a 193 , a 18 , a 94 , a 90 , a 144 , a 83 , a 5 , a 47 , a 194 , a 244 , a 118 , 
a 173 , a 120 , a 199 , a 250 , a 63 , a 156 , a 109 , a 221 , a 30 , a 86 , a 46 , a 126 , a 56 , a 44 , a 249 , a 33 , a 24 , a 201 , a 205 , a 191 , 
a 128 , a 67 , a 219 , a 239 , a 15 , a 217 , a 103 , a 141 , a 169 , a 241 , a 214 , a 59 , a 154 , a 207 , a 175 , a 178 , 



a 36 , a 97 , a 13 , a 28 , a 12 , a 74 , a 1 ' 



,a 8 ,a 14 ,a 58 ,a 108 ,a 75 ,a 4 l 



[a 22 , a 135 , a 64 , a 158 , a 190 , a 189 , a 100 , a 40 , a 60 , a 39 , a", a 61 , a 111 , a 166 , a 213 , a 27 , 



a 89 , a 246 , a 171 , a 137 , a 122 , a 254 , a 35 , a 57 , a 53 , a 236 , a 68 , a 22 ] 
[a 38 ,a 54 ,a 38 l 



It follows that φ has cycle lengths 59, 81, 87, 27 and 2 and order

\mathrm{lcm}(59, 81, 87, 27, 2) = 277{,}182,

confirming the result given by Lenstra [?]. We would like to remark that the largest order
an element of the symmetric group of 256 elements can have is 451,129,701,092,070. In
comparison to this the order of φ is not very large.
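An added example, not from the paper, that carries out the computations of this section in Python and serves both the derivation of (4.2)-(4.5) and the cycle decomposition just given. The coefficients λ_i of 𝓛 are computed directly from the dual basis as λ_i = Σ_k β_k^{2^i} L(α_k), which is the product B·(L(α_1), ..., L(α_8))^t of Lemma 4.1 taken with respect to the normal basis α_i = α^{2^{i-1}}, α = z^5 + 1, and its dual β_j = β^{2^{j-1}}, β = z^5 + z^4 + z^2 + 1, without passing through S and L'; the same is done for 𝓛^{-1}, then φ(u) = φ_3(𝓛(u^{254})) and ψ(u) = ρ(u)^{254} are evaluated and the cycle lengths of φ are counted. Names such as trace, linearized_coeffs, cycle_lengths and permutation_order are this example's own; L_inv implements the inverse of (3.2) as multiplication by z^6 + z^3 + z modulo z^8 + 1, an identity the test checks.

```python
# Added example (not code from the paper): Lemma 4.1 with the primitive normal basis of
# alpha = z^5 + 1, its dual basis generated by beta = z^5 + z^4 + z^2 + 1, and the cycle
# decomposition of the S-Box.
from math import gcd

MU = 0x11B  # mu(z) = z^8 + z^4 + z^3 + z + 1

def gf_mul(a, b):
    """Multiplication in F = Z_2[z]/<mu(z)>; a byte's bit i is the coefficient of z^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MU
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def trace(a):
    """Tr_{F/Z_2}(a) = a + a^2 + a^4 + ... + a^128, always 0 or 1."""
    t, p = 0, a
    for _ in range(8):
        t ^= p
        p = gf_mul(p, p)
    return t

def rotl(f, n):
    """Multiplication by z^n modulo z^8 + 1 is a cyclic rotation of the 8 coefficient bits."""
    return ((f << n) | (f >> (8 - n))) & 0xFF

def L_map(f):
    """(3.2): f -> (z^4 + z^3 + z^2 + z + 1) f mod z^8 + 1."""
    return f ^ rotl(f, 1) ^ rotl(f, 2) ^ rotl(f, 3) ^ rotl(f, 4)

def L_inv(f):
    """Inverse of L_map: multiplication by z^6 + z^3 + z, the inverse of z^4+z^3+z^2+z+1 mod z^8+1."""
    return rotl(f, 6) ^ rotl(f, 3) ^ rotl(f, 1)

ALPHA, BETA = 0x21, 0x35                             # z^5 + 1 and z^5 + z^4 + z^2 + 1
NORMAL = [gf_pow(ALPHA, 2 ** i) for i in range(8)]   # alpha_1, ..., alpha_8
DUAL = [gf_pow(BETA, 2 ** i) for i in range(8)]      # beta_1, ..., beta_8

def multiplicative_order(a):
    n, p = 1, a
    while p != 1:
        p, n = gf_mul(p, a), n + 1
    return n

def is_dual_basis(basis, dual):
    """Tr(alpha_i beta_j) = 1 if i = j and 0 otherwise."""
    return all(trace(gf_mul(a, b)) == int(i == j)
               for i, a in enumerate(basis) for j, b in enumerate(dual))

def linearized_coeffs(linear_map):
    """lambda_i = sum_k beta_k^{2^i} linear_map(alpha_k), i.e. B (L(alpha_1), ..., L(alpha_8))^t:
    the solution of sum_i lambda_i alpha_k^{2^i} = L(alpha_k) since A B = I_8."""
    images = [linear_map(a) for a in NORMAL]
    lam = []
    for i in range(8):
        s = 0
        for k in range(8):
            s ^= gf_mul(gf_pow(DUAL[k], 2 ** i), images[k])
        lam.append(s)
    return lam

def linearized_eval(lam, u):
    """sum_i lambda_i u^{2^i}."""
    acc, p = 0, u
    for c in lam:
        acc ^= gf_mul(c, p)
        p = gf_mul(p, p)
    return acc

LAM = linearized_coeffs(L_map)       # coefficients of script-L, equation (4.2)
LAM_INV = linearized_coeffs(L_inv)   # coefficients of script-L^{-1}, equation (4.4)

def phi(u):
    """phi(u) = phi_3(script-L(u^254)) = z^6 + z^5 + z + 1 + script-L(u^254): the S-Box."""
    return 0x63 ^ linearized_eval(LAM, gf_pow(u, 254))

def psi(u):
    """psi(u) = rho(u)^254 with rho(u) = script-L^{-1}(u) + z^2 + 1, equation (4.5)."""
    return gf_pow(linearized_eval(LAM_INV, u) ^ 0x05, 254)

def cycle_lengths(perm):
    """Sorted lengths of the cycles of a permutation of {0, ..., 255}."""
    seen, lengths = [False] * 256, []
    for start in range(256):
        if not seen[start]:
            n, x = 0, start
            while not seen[x]:
                seen[x] = True
                x = perm[x]
                n += 1
            lengths.append(n)
    return sorted(lengths)

def permutation_order(perm):
    """lcm of the cycle lengths."""
    order = 1
    for n in cycle_lengths(perm):
        order = order * n // gcd(order, n)
    return order

if __name__ == "__main__":
    sbox = [phi(u) for u in range(256)]
    print([hex(c) for c in LAM], [hex(c) for c in LAM_INV])
    print(cycle_lengths(sbox), permutation_order(sbox))   # [2, 27, 59, 81, 87] 277182
```

The dual-basis formula sidesteps the matrices S and L' of Lemma 4.1 because L(α_k) is applied directly to field elements; (4.1) is the same product once L is written in the basis α_1, ..., α_8. The exponents of α in the printed cycles can be recovered with a discrete-logarithm table built from the powers of ALPHA, which is how the listing above is expressed.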
5 Conclusion



In this paper we provided a description of the Advanced Encryption Standard Rijndael which 
involved a series of polynomial transformations in a finite ring R. Special attention was given 
to derive the permutation polynomials describing the S-Box and the inverse S-Box of the 
Rijndael system. 